These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Vulnerable Products

Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could cause an affected device to reload when processing malformed ICMP error packets that belong to a TCP or UDP connection that is inspected by a Zone-Based Firewall (ZBFW). The ZBFW is not enabled by default.

Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing Point-to-Point Tunneling Protocol (PPTP) packets that undergo Network Address Translation (NAT) and PPTP application layer gateway (ALG) inspection. An attacker could exploit this vulnerability by sending a large number of PPTP packets to traverse a device that is configured for NAT.

Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing segmented TCP packets that undergo Network Address Translation (NAT). An attacker could exploit this vulnerability by sending TCP segments that reassemble into a large packet through a device that is configured for NAT.

Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing malformed IP version 4 (IPv4) or IP version 6 (IPv6) Ethernet over Generic Routing Encapsulation (EoGRE) packets on an interface configured with EoGRE. EoGRE is not enabled by default.

Details

Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability: A vulnerability in the Zone-Based Firewall (ZBFW) TCP or UDP inspection feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of malformed ICMP error packets traversing a vulnerable device that belong to a TCP or UDP connection that is inspected by a ZBFW. An attacker could exploit this vulnerability by sending a number of malformed ICMP error packets that belong to an inspected TCP or UDP session. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.

Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability: A vulnerability in the PPTP ALG feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper handling of PPTP packets that are being inspected as part of the NAT feature on Cisco IOS XE Software. An attacker could exploit this vulnerability by sending a large number of PPTP packets to traverse a vulnerable system that is configured for NAT. A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.

Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability: A vulnerability in TCP segment reassembly of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of large TCP reassembled packets that are being processed by NAT and ALG features on the affected device. An attacker could exploit this vulnerability by sending a TCP packet that is large after the reassembly to traverse a vulnerable device. Only packets being handled by NAT and ALG features have a potential to cause an affected device to reload. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.

Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability: A vulnerability in the EoGRE feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of malformed EoGRE packets. An attacker could exploit this vulnerability by sending malformed IPv4 or IPv6 EoGRE packets to an affected device configured with an EoGRE interface; this vulnerability cannot be exploited by sending malformed EoGRE packets to traverse a vulnerable system. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.

Impact

Successful exploitation of any of the four vulnerabilities described above may allow a remote, unauthenticated attacker to reload the Embedded Services Processor (ESP) card, causing service interruption.

Cisco IOS XR Software Route Processor Denial of Service Vulnerability

Cisco IOS XR Software Releases 3.3.0 to 4.2.0 contain a vulnerability when handling fragmented packets that could result in a denial of service (DoS) condition of the Cisco CRS Route Processor cards listed in the “Affected Products” section of this advisory.

Details

Cisco IOS XR Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to improper processing of fragmented packets by the following:

Cisco CRS 16-Slot Line Card Chassis Route Processor (RP-A)

Cisco CRS 16-Slot Line Card Chassis Route Processor B (RP-B)

Carrier Routing System (CRS) Performance Route Processor (PRP)

Cisco CRS Distributed Route Processor (DRP-B)

An attacker could exploit this vulnerability by sending fragmented packets to a vulnerable system; this vulnerability cannot be triggered by IP traffic traversing a vulnerable device. An exploit could allow the attacker to cause the Route Processor CPU to stop transmitting packets to the fabric, resulting in a DoS condition.

This vulnerability can be triggered by both IPv4 and IPv6 traffic and does not require a TCP three-way handshake.

Impact

Successful exploitation of the vulnerability could cause the route processor on an affected device to stop transmitting packets from the route processor CPU to the fabric. As a result, the affected RP-A, RP-B, PRP, or DRP-B will experience a DoS, failing to transmit traffic for all of its route processor-based protocols (for example, Intermediate System-to-Intermediate System, Border Gateway Protocol, ICMP).

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.

Vulnerable Products

All versions of Cisco ISE Software running on supported appliances and virtual machines may be affected by these vulnerabilities. Consult the “Software Versions and Fixes” section of this security advisory for more information about the affected versions.

Cisco ISE Authenticated Arbitrary Command Execution Vulnerability: A vulnerability in the web framework of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary commands into the input of the affected function and executing that function. An exploit could allow the attacker to run arbitrary commands on the affected system with the privileges of the root user.

Cisco ISE Support Information Download Authentication Bypass Vulnerability: A vulnerability in the implementation of the authentication code that is used to validate requests to download a product support bundle could allow an unauthenticated, remote attacker to download a full product support bundle. The vulnerability is due to an error in the logic that is used to validate support bundle access requests. An attacker could exploit this vulnerability by sending a crafted request to the vulnerable system. An exploit could allow an attacker to obtain a full copy of the product configuration or other sensitive information including administrative credentials.

Vulnerable Products

All software releases for the following Cisco products are affected by this vulnerability:

Cisco Business Edition 3000

Cisco Identity Services Engine (ISE)

Cisco Media Experience Engine (MXE) 3500 Series

Cisco Unified SIP Proxy (CUSP)

Details

The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions. An exploit could allow the attacker to execute arbitrary code on the targeted system.


Impact

The impact of this vulnerability on Cisco products varies depending on the affected product. Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system. There is no authentication needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy. To exploit this vulnerability on Cisco Business Edition 3000, the attacker must provide valid credentials or persuade a user with valid credentials to execute a malicious URL.

Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product.
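The advisory describes the attack as crafted requests carrying OGNL expressions but does not show what such a request looks like in a web server log. The script below is an added example, not Cisco's code and not drawn from the advisory: it scans combined-log-format request lines for OGNL syntax in the path, parameter names and parameter values, decoding repeatedly so that double URL-encoding does not hide the expression delimiters. The log lines in SAMPLE_LOG are constructed, and the three patterns are assumptions about which OGNL constructs are worth alerting on, not a complete grammar.

```python
"""Added example (not Cisco's code): flag HTTP request parameters that carry OGNL expression
syntax, the class of crafted input the advisory describes. SAMPLE_LOG lines are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# OGNL syntax that has no place in an ordinary parameter name or value (assumed indicator set):
#   %{...} / ${...}    expression delimiters evaluated by the Struts value stack
#   @pkg.Class@member  static field or method reference
#   #name[ / #name.    context-variable reference (e.g. #context, #request)
OGNL_PATTERNS = [
    re.compile(r"[%$]\{"),
    re.compile(r"@[A-Za-z_][\w.]*@[A-Za-z_]\w*"),
    re.compile(r"#[A-Za-z_]\w*\s*[.=\[(]"),
]

SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2013:12:00:01 +0000] "GET /admin/login.action?user=alice HTTP/1.1" 200 512',
    # value is double URL-encoded: %2525%257B... -> %25%7B... -> %{...}
    '10.0.0.9 - - [10/Oct/2013:12:00:02 +0000] "GET /admin/login.action?user=%2525%257B1%252B1%257D HTTP/1.1" 500 0',
    # expression sits in the parameter name; '#' is %23-encoded, otherwise the URL parser treats it as a fragment
    '10.0.0.9 - - [10/Oct/2013:12:00:03 +0000] "GET /admin/login.action?%23context%5B%27x%27%5D=1 HTTP/1.1" 500 0',
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the text stops changing (bounded) so double encoding cannot hide delimiters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def ognl_hits(text: str) -> List[str]:
    """Patterns that match the decoded text (empty list means nothing suspicious)."""
    decoded = fully_decode(text)
    return [p.pattern for p in OGNL_PATTERNS if p.search(decoded)]

def scan_request_line(line: str) -> Dict[str, List[str]]:
    """Combined-log-format line -> {parameter name or '<path>': [matched patterns]}."""
    m = re.search(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/', line)
    if not m:
        return {}
    url = urlsplit(m.group(1))
    hits: Dict[str, List[str]] = {}
    if ognl_hits(url.path):
        hits["<path>"] = ognl_hits(url.path)
    for key, val in parse_qsl(url.query, keep_blank_values=True):  # parse_qsl already decodes once
        found = ognl_hits(key) + ognl_hits(val)
        if found:
            hits[key] = found
    return hits

def scan_log(lines: List[str]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (line, hits) for every request line with at least one OGNL indicator."""
    out = []
    for line in lines:
        hits = scan_request_line(line)
        if hits:
            out.append((line, hits))
    return out

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(hits, "<-", line)
```

Run against the constructed log, the first line is clean and the second and third are reported, the second only because of the bounded re-decoding loop. The parameter-name check matters as much as the value check: the third line carries the expression in the name, where a value-only filter would never look.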

SQL*Net Inspection Engine Denial of Service Vulnerability: Cisco FWSM Software is affected by this vulnerability if SQL*Net inspection is enabled. To determine whether SQL*Net inspection is enabled use the show service-policy | include sqlnet command.

Details

Cisco FWSM Command Authorization Vulnerability: The vulnerability is due to insufficient authorization safeguards of certain administrative commands in a user context when the affected system is configured for multiple context mode. An attacker could exploit this vulnerability by executing certain commands in any of the user contexts of the affected system.

SQL*Net Inspection Engine Denial of Service Vulnerability: A vulnerability in SQL*Net inspection engine code could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of segmented Transparent Network Substrate (TNS) packets. An attacker could exploit this vulnerability by sending a crafted sequence of segmented TNS packets through the affected system.

Impact

Successful exploitation of the Cisco FWSM Command Authorization Vulnerability may result in a complete compromise of the confidentiality, integrity and availability of the affected system. Successful exploitation of the SQL*Net Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a DoS condition.

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Vulnerable Products

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability: To be vulnerable, Cisco ASA Software must have at least one IPsec VPN tunnel with active traffic passing through the tunnel. This vulnerability cannot be exploited if offending packets are flowing through an SSL/TLS based VPN tunnel.

SQL*Net Inspection Engine Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if SQL*Net inspection is enabled.

Digital Certificate Authentication Bypass Vulnerability: Cisco ASA Software is affected by this vulnerability in either of the following cases:

Clientless or AnyConnect SSL VPN is configured to use digital certificate authentication

Cisco ASDM is configured to use digital certificate authentication

Remote Access VPN Authentication Bypass Vulnerability: Cisco ASA Software is affected by this vulnerability if all of the following conditions apply:

It is configured for any of Clientless or AnyConnect SSL VPN, IKEv1 or IKEv2 remote access IPsec VPN, or L2TP/IPsec VPN

The remote VPN is authenticated via a remote AAA server using LDAP

The override-account-disable option is configured under the tunnel-group general-attributes settings.

Cisco ASA Software using any other remote AAA server or local AAA server for authentication of remote VPN is not affected by this vulnerability. Additionally, Cisco ASA Software configured for LAN-to-LAN IPsec VPN is not affected by this vulnerability.

HTTP Deep Packet Inspection Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if HTTP Deep Packet Inspection (DPI) is configured with any of the following options:

The spoof-server parameters option is enabled

The mask option is enabled and is inspecting the HTTP response with active-x in the body

The mask option is enabled and is inspecting the HTTP response with java-applet in the body

DNS Inspection Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.

Crafted ICMP Packet Denial of Service Vulnerability: Cisco ASA Software is vulnerable if the ICMP inspection engine is configured to inspect ICMP packets that are traversing the firewall, or if ICMP packets targeting firewall interfaces are allowed to be processed.
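The conditions listed above (and the FWSM SQL*Net check earlier on this page, which the advisory ties to show service-policy | include sqlnet) can be verified mechanically against a saved running configuration rather than by eye. The script below is an added example, not Cisco's code and not part of the advisory: it parses a constructed ASA configuration and reports, per vulnerability, whether the stated precondition is present. Two details it gets right that a grep would not: an inspect statement only counts if its policy-map is actually bound by a service-policy, and the LDAP bypass condition requires all three of a remote-access tunnel-group, an LDAP aaa-server group, and override-account-disable. The command names are standard ASA syntax; the tcp-inspection keyword under the DNS inspection policy-map is an assumption about how DNS-over-TCP inspection is expressed and should be confirmed against the release in use.

```python
"""Added example (not Cisco's code): audit an ASA or FWSM running configuration for the
exposure conditions listed above. SAMPLE_CONFIG is constructed for this example."""
import re
from typing import Dict, List, Tuple

Block = Tuple[str, List[str]]  # (top-level command, indented sub-commands with nesting flattened)

SAMPLE_CONFIG = """\
aaa-server LDAP_SRV protocol ldap
http authentication-certificate outside
icmp permit any outside
policy-map type inspect dns preset_dns_map
 parameters
policy-map type inspect http http_map
 parameters
  spoof-server "Apache"
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect http http_map
policy-map legacy_policy
 class inspection_default
  inspect sqlnet
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 authentication-server-group LDAP_SRV
 override-account-disable
service-policy global_policy global
"""

def parse_blocks(config: str) -> List[Block]:
    """Group config lines into top-level commands and their indented children."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def named(blocks: List[Block], prefix: str) -> List[Block]:
    return [b for b in blocks if b[0].startswith(prefix)]

def active_inspects(blocks: List[Block]) -> Dict[str, str]:
    """'inspect <proto> [map]' lines, counted only in policy-maps that a service-policy applies."""
    applied = {b[0].split()[1] for b in named(blocks, "service-policy ")}
    found: Dict[str, str] = {}
    for cmd, kids in named(blocks, "policy-map "):
        name = cmd.split()[1]
        if name == "type" or name not in applied:  # skips 'policy-map type inspect ...' and unapplied maps
            continue
        for line in kids:
            m = re.match(r"inspect (\S+)(?: (\S+))?", line)
            if m:
                found[m.group(1)] = m.group(2) or ""
    return found

def inspect_map(blocks: List[Block], proto: str, name: str) -> List[str]:
    """Sub-commands of 'policy-map type inspect <proto> <name>'; [] when no named map is used."""
    hits = [b for b in blocks if name and b[0] == f"policy-map type inspect {proto} {name}"]
    return hits[0][1] if hits else []

def http_map_risky(kids: List[str]) -> bool:
    """spoof-server set, or an active-x / java-applet response-body match whose action is mask."""
    if any(k.startswith("spoof-server") for k in kids):
        return True
    return any(re.match(r"match response body (active-x|java-applet)", k) and nxt.startswith("mask")
               for k, nxt in zip(kids, kids[1:]))

def ldap_ra_vpn_with_override(blocks: List[Block]) -> bool:
    """Remote-access tunnel-group authenticating to an LDAP aaa-server with override-account-disable."""
    ldap = {b[0].split()[1] for b in named(blocks, "aaa-server ") if b[0].endswith("protocol ldap")}
    l2l = {b[0].split()[1] for b in blocks if re.match(r"tunnel-group \S+ type ipsec-l2l", b[0])}
    for cmd, kids in named(blocks, "tunnel-group "):
        if not cmd.endswith("general-attributes") or cmd.split()[1] in l2l or "override-account-disable" not in kids:
            continue
        for k in kids:
            m = re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)", k)
            if m and m.group(1) in ldap:
                return True
    return False

def audit(config: str) -> Dict[str, bool]:
    """One boolean per advisory condition; True means the configuration meets that precondition."""
    blocks = parse_blocks(config)
    insp = active_inspects(blocks)
    webvpn_cert = any(k.startswith("authentication ") and "certificate" in k.split()
                      for cmd, kids in named(blocks, "tunnel-group ") if cmd.endswith("webvpn-attributes") for k in kids)
    return {
        "sqlnet_inspection_dos": "sqlnet" in insp,
        "dns_inspection_dos": "tcp-inspection" in inspect_map(blocks, "dns", insp.get("dns", "")),  # assumed keyword
        "http_dpi_dos": http_map_risky(inspect_map(blocks, "http", insp.get("http", ""))),
        "ra_vpn_ldap_auth_bypass": ldap_ra_vpn_with_override(blocks),
        "cert_auth_bypass": bool(named(blocks, "http authentication-certificate")) or webvpn_cert,
        "crafted_icmp_dos": "icmp" in insp or bool(named(blocks, "icmp permit ")),
    }

if __name__ == "__main__":
    for check, exposed in audit(SAMPLE_CONFIG).items():
        print(f"{check:24s} {'EXPOSED' if exposed else 'ok'}")
```

On the constructed configuration the SQL*Net check comes back clean even though inspect sqlnet appears in the file, because legacy_policy is never bound by a service-policy; the HTTP DPI, certificate, ICMP and LDAP conditions are reported as present. Feed it the output of show running-config from a real device to get the same breakdown.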

Details

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability: The vulnerability is due to an error in the code that decrypts packets transiting an active VPN tunnel. In particular, the code fails to properly handle crafted ICMP packets after a decryption operation. An attacker could exploit this vulnerability by sending crafted ICMP packets through an active VPN tunnel. An exploit could allow the attacker to cause a reload of the device that performs the decryption operation.

SQL*Net Inspection Engine Denial of Service Vulnerability: The vulnerability is due to improper handling of segmented Transparent Network Substrate (TNS) packets. An attacker could exploit this vulnerability by sending a crafted sequence of segmented TNS packets through the affected system.

Digital Certificate Authentication Bypass Vulnerability: The vulnerability is due to an error in handling a client-crafted certificate during the authentication phase. An attacker could exploit this vulnerability by trying to authenticate to the affected system using a crafted certificate. An exploit could allow the attacker to bypass the certificate authentication. Depending on the Cisco ASA configuration, this may allow the attacker to authenticate and access the network via Clientless or AnyConnect SSL VPN or to get administrative management access via Cisco Adaptive Security Device Manager (ASDM).

Remote Access VPN Authentication Bypass Vulnerability: The vulnerability is due to improper parsing of the LDAP response packet received from a remote AAA LDAP server when the override-account-disable option is configured in the general-attributes of the tunnel-group. An attacker could exploit this vulnerability by attempting to authenticate via remote VPN to the affected system. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN. This vulnerability affects Cisco ASA Software configured for Clientless or AnyConnect SSL VPN, IKEv1 and IKEv2 remote access IPsec VPN, and L2TP/IPsec VPN. Additionally, an external AAA LDAP server must be in use for the remote VPN authentication service. Cisco ASA Software using any other protocol for remote AAA service or a local AAA server for authentication of remote VPN is not affected by this vulnerability. Cisco ASA Software configured for LAN-to-LAN VPN is not affected by this vulnerability.

Digital Certificate HTTP Authentication Bypass Vulnerability: The vulnerability is due to an error in the implementation of the authentication-certificate option, which enables client-side digital certificate authentication. An attacker could exploit this vulnerability by trying to authenticate to an interface of the affected system where Cisco ASDM is enabled.

HTTP Deep Packet Inspection Denial of Service Vulnerability: The vulnerability is due to improper handling of a race condition when the HTTP DPI engine is inspecting HTTP packets and either the spoof-server parameters option is enabled or the Cisco ASA Software is configured to inspect and mask the HTTP response including active-x or java-applet in the response body. An attacker could exploit this vulnerability by sending a crafted HTTP response through the affected system.

DNS Inspection Denial of Service Vulnerability: The vulnerability is due to improper processing of unsupported DNS over TCP packets by the DNS inspection engine. An attacker could exploit this vulnerability by sending crafted DNS messages over TCP through an affected device.

AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability: The vulnerability is due to the failure to release unused memory blocks after an AnyConnect SSL VPN client disconnects. An attacker could exploit this vulnerability by sending traffic to the IP address of the disconnected client. This vulnerability affects Cisco ASA Software configured for AnyConnect SSL VPN. Cisco ASA Software configured for Clientless SSL VPN, IKEv1 and IKEv2 remote access IPsec VPN, LAN-to-LAN VPN or L2TP/IPsec VPN is not affected by this vulnerability.

Clientless SSL VPN Denial of Service Vulnerability: The vulnerability is due to improper handling of crafted HTTPS requests against Cisco ASA Software configured for Clientless SSL VPN. An attacker could exploit this vulnerability by sending crafted HTTPS requests targeting the TCP port open for the Clientless SSL VPN feature. This vulnerability affects Cisco ASA Software configured for Clientless SSL VPN. Cisco ASA Software configured for AnyConnect SSL VPN, IKEv1 and IKEv2 remote access IPsec VPN, LAN-to-LAN VPN or L2TP/IPsec VPN is not affected by this vulnerability.

Crafted ICMP Packet Denial of Service Vulnerability: The vulnerability is due to improper handling of crafted ICMP packets. An attacker could exploit this vulnerability by sending a number of crafted ICMP packets to or through an affected device. An exploit could allow the attacker to clear arbitrary connections on the firewall or cause a reload of the affected device, leading to a denial of service (DoS) condition.

Impact

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a DoS condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco ASDM.

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Successful exploitation of the Crafted ICMP Packet Denial of Service Vulnerability may cause valid connections that are passing through the affected system to be dropped, or cause a reload of the system, leading to a DoS condition.

Details

The vulnerability is due to the failure of the device to release the memory of allocated UDP packets when the packet queues are full. An attacker could exploit this vulnerability by sending traffic to listening UDP services on the affected device. An exploit could allow the attacker to cause the device to exhaust all available memory, leaving the device unable to allocate memory for packets sent to it.

Impact

Successful exploitation of the vulnerability could cause critical services on the affected device to fail, resulting in a DoS condition.